Using HTTPS on Cisco devices

Network administrators need sometimes to a user-friendly way other than the CLI, in order to easily configure, monitor, and manage their networking devices. That need becomes more important especially when monitoring the network, or when configuring some complex aspects such as VPNs.


This is why it is highly recommended for them to enable graphical-user interface (GUI) using reliable & secure protocols such as HTTPS.

As a brief definition, Hypertext Transfer Protocol Secure (HTTPS) is a result of layering the standard HTTP on top of the SSL/TLS protocol, from where it gets the encryption capabilities. The main benefit of using HTTPS is to prevent spying secret & confidential information.

Configuration Guidelines

1. Configure hostname (which sould be different from the default one) & domain name

Router#config t
Router(config)# hostname R1
R1(config)# ip domain-name

2. Create a local superuser (with all privileges)

R1(config)# username webadmin privilege 15 secret [email protected]!

3. Enable HTTPS, disable HTTP & redirect authentication towards the local database

R1(config)# ip http secure-server

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1(config)# no ip http server
R1(config)# ip http authentication local

It is important to highlight here that when enabling HTTPS, by default 1024 RSA keys will be generated automatically.

4. Change the default port number

R1(config)# ip http secure-port 40403

5. Configure HTTPS timeout policies

R1(config)# ip http timeout-policy idle 60 life 1200 requests 5000

It is important to highlight here the following points:

    • The idle time-out of a connection is set to 60 seconds
    • The connection life-time is set to 1200 seconds (20 minutes)
    • The maximum number of requests allowed is set to 5000

6. Use ACL as additional filter

R1(config)# access-list 1 permit host
R1(config)# access-list 1 permit
R1(config)# ip http access-class 1

It is important to highlight here the following points:

    • Users that are not permitted in the ACL will be rejected directly (i.e. they will not be prompted to authenticate themselves).
    • The ACL acts as the first barrier and the authentication as the second one.

7. Basic verification

Test from a neighboring device:
R2# ping
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2# telnet 443
Trying, 443 ...
% Connection refused by remote host

R2# telnet 40403
Trying, 40403 ... Open


Sorry Comments are Disabled